Post on 07-Jan-2016
MPLS VPN Technology Basics
Mitrabh Shukla
National IP Manager
2 Nokia Siemens Networks MPLS / Mitrabh Shukla
For internal use
Agenda
VPN Concepts
Terminology
VPN Connection model
Forwarding Example
VPN Topologies
What is an MPLS-VPN?
An IP network infrastructure delivering private network services over a public infrastructure
Use a layer 3 backbone
Scalability, easy provisioning
Global as well as non-unique private address space
QoS
Controlled access
Easy configuration for customers
VPN Models
There are two basic types of design models that deliver VPN functionality
Overlay Model
Peer Model
The Overlay model
Private trunks over a TELCO/SP shared infrastructure
Leased/Dialup lines
FR/ATM circuits
IP (GRE) tunnelling
Transparency between provider and customer networks
Optimal routing requires a full mesh over the backbone
The Peer model
Both provider and customer network use same network protocol and control plane
CE and PE routers have routing adjacency at each site
All provider routers hold the full routing information about all customer networks
Private addresses are not allowed
May use the virtual router capability
Multiple routing and forwarding tables based on Customer Networks
MPLS-VPN = True Peer model
MPLS-VPN is similar in operation to peer model
Provider Edge routers receive and hold routing information only about VPNs directly connected
Reduces the amount of routing information a PE router will store
Routing information is proportional to the number of VPNs a router is attached to
MPLS is used within the backbone to switch packets (no need of full routing)
MPLS VPN Connection Model
A VPN is a collection of sites sharing common routing information (routing table)
A site can be part of different VPNs
A VPN has to be seen as a community of interest (or Closed User Group)
Multiple Routing/Forwarding instances (VRF) on PE
MPLS VPN Connection Model
A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs
If two or more VPNs have a common site, address space must be unique among these VPNs
[Figure: Site-1 to Site-4 and their membership of VPN-A, VPN-B and VPN-C]
MPLS VPN Connection Model
The VPN backbone is composed of MPLS LSRs
PE routers (edge LSRs)
P routers (core LSRs)
The customer router connecting to the VPN backbone is called the Customer Edge (CE)
PE routers face CE routers and distribute VPN information through MP-BGP to other PE routers
VPN-IPv4 addresses, Extended Community, Label
P routers do not run MP-BGP and do not have any VPN knowledge
MPLS VPN Components
[Figure: P network (provider control) of LSRs with edge LSRs (ELSR) acting as PEs, attached to CEs in the C networks (customer control)]
PE-CE Routing
PE and CE routers exchange routing information through eBGP, Static, OSPF, ISIS, RIP, EIGRP
The CE router runs standard routing software, not aware it is connected to a VPN network
[Figure: PE router with CE1 and CE2 attached over PE-CE routing]
PE-CE routing protocols
Static/BGP are the most scalable
Single PE router can support 100s or 1000s of CE routers
BGP is the most flexible
Particularly for multi-homing but not popular with Enterprise
Very useful if Enterprise requires Internet routes
Use the others to meet customer requirements
OSPF popular with Enterprises but consumes router processes
EIGRP not popular with Service Providers (Cisco proprietary)
IS-IS less prevalent in Enterprise environments
RIPv2 provides very simple functionality
Routing Protocol Contexts
Routing processes run within specific routing contexts
Populate specific VPN routing table and FIBs (VRF)
Interfaces are assigned to VRFs
[Figure: one RIP process and one BGP process, each with per-VRF routing contexts (RIP 1, RIP 2; BGP 1, BGP 2, BGP 3) plus static routes, populating the VRF routing tables and VRF forwarding tables for Site A, Site B and Site C]
OSPF and Single Routing Instances
[Figure: separate OSPF routing processes, one per VRF and without routing contexts, populating the VRF routing tables and VRF forwarding tables for Site A, Site B and Site C]
With OSPF there is a single process per VRF
Same for IS-IS
No routing contexts
Prior to 12.0(27)S and 12.3(4)T maximum of 28 processes allowed
Routing Tables
PE routers maintain separate routing tables
Global Routing Table
All the PE and P routes populated by the VPN backbone IGP (ISIS or OSPF)
VPN Routing and Forwarding Tables (VRF)
Routing and Forwarding table associated with one or more directly connected sites (CEs)
VRFs are associated with (sub/virtual/tunnel) interfaces
Interfaces may share the same VRF if the connected sites may share the same routing information
[Figure: PE with CE1 and CE2 attached via PE-CE routing into a VRF, and the VPN Backbone IGP (OSPF, ISIS) populating the Global Routing Table]
IGP and label distribution in the backbone
All routers (P and PE) run an IGP and label distribution protocol
Each P and PE router has routes for the backbone nodes and a label is associated to each route
MPLS forwarding is used within the core
[Figure: PE1 - P1 - P2 - PE2 backbone, CE1 and CE2 attached to PE1, CE3 and CE4 attached to PE2, with the label forwarding tables below]
LFIB for PE1
Dest  Next Hop  IN  OUT
PE2   P1        17  50
P2    P1        18  65
P1    S0/0      19  POP
LFIB for P1
Dest  Next Hop  IN  OUT
PE2   P2        50  34
P2    E0/2      65  POP
PE1   S3/0      67  POP
LFIB for P2
Dest  Next Hop  IN  OUT
PE2   P1        34  POP
P1    E0/1      38  POP
PE1   P1        39  67
LFIB for PE2
Dest  Next Hop  IN  OUT
P1    P2        44  38
P2    P2        36  65
PE1   P2        18  39
VPN Routing and Forwarding Table
Multiple routing tables (VRFs) are used on PEs
Each VRF contains customer routes
Customer addresses can overlap
VPNs are isolated
Multi-Protocol BGP (MP-BGP) is used to propagate these addresses + labels between PE routers only
[Figure: PE1 - P1 - P2 - PE2 backbone, CE1 and CE2 attached to PE1, CE3 and CE4 attached to PE2, MP-iBGP session between PE1 and PE2]
MPLS VPN Requirements
VPN services allow
Customers to use the overlapping address space
Isolate customer VPNs - Intranets
Join VPNs - Extranets
MPLS-VPN backbone MUST
Distinguish between customer addresses
Forward packets to the correct destination
VPN Address Overlap
BGP propagates ONE route per destination
Standard path selection rules are used
What if two customers use the same address?
BGP will propagate only one route - PROBLEM !!!
Therefore MP-BGP must DISTINGUISH between customer addresses
VPN Address Overlap
When a PE router receives VPN routes from MP-BGP, how does it know which VRF to place the route in?
How do we distinguish overlapping addresses between two VPNs?
Route-Target and Route-Distinguisher
MP-BGP prepends a Route Distinguisher (RD) to each VPN route in order to make it unique
MP-BGP assigns a Route-Target (RT) to each VPN route to identify the VPN it belongs to (or CUG)
Route-Target is the colour of the route
[Figure: CE1 and CE2 each send an update for prefix X to PE1; PE1 sends two VPN-IPv4 updates to PE2 over the MP-iBGP session, "RD1:X, Next-hop=PE1, RT=RED, Label=10" and "RD2:X, Next-hop=PE1, RT=ORANGE, Label=12"; at PE2 the VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value]
Route Propagation through MP-BGP
When a PE router receives an MP-BGP VPN route:
It compares the route-target value with the VRF route-targets
If they match, the route is inserted into the appropriate VRF
The label associated with the VPN route is stored and used to send packets towards the destination
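The RD/RT mechanism of the last two slides, as an added example that is not part of the original deck: an ingress PE makes a CE prefix unique with its VRF's RD, colours it with export RTs and attaches a VPN label, and the receiving PE installs the route in every VRF whose import RTs match. The VPN names, RD values (100:1, 100:2, 100:3), RT names and prefix X are constructed; the extranet VRF shows what happens when two VPNs with overlapping space are imported into one table.

```python
"""Added example (not from the slides): how a PE builds and imports VPN-IPv4 routes.
RD:prefix is the unique MP-BGP NLRI, the RT set selects importing VRFs and the VPN
label stays with the route for forwarding. All names and values are constructed."""
from collections import namedtuple

# rd: Route Distinguisher, rts: Route-Target "colours", label: VPN label from egress PE
VpnRoute = namedtuple("VpnRoute", "rd prefix next_hop rts label")


def nlri(route):
    """The NLRI MP-BGP carries: unique even when customer prefixes overlap."""
    return f"{route.rd}:{route.prefix}"


class Vrf:
    def __init__(self, name, rd, export_rts, import_rts):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = frozenset(export_rts), frozenset(import_rts)
        self.table = {}                      # prefix -> (rd, next_hop, label)

    def export(self, prefix, pe, label):
        """Ingress PE: prepend the VRF's RD and colour the route with the export RTs."""
        return VpnRoute(self.rd, prefix, pe, self.export_rts, label)


def import_updates(vrfs, updates):
    """Receiving PE: install each update in every VRF whose import RTs match it.
    Returns (vrf, prefix) pairs where two VPNs with overlapping space met in one VRF."""
    collisions = []
    for u in updates:
        for vrf in vrfs:
            if not (vrf.import_rts & u.rts):
                continue                     # RT mismatch: this VRF ignores the route
            old = vrf.table.get(u.prefix)
            if old and old[0] != u.rd:
                collisions.append((vrf.name, u.prefix))
            vrf.table[u.prefix] = (u.rd, u.next_hop, u.label)
    return collisions


# PE1 exports the same prefix X from VPN RED (RD 100:1) and VPN ORANGE (RD 100:2).
X = "10.1.1.0/24"
UPDATES = [Vrf("RED", "100:1", {"RED"}, {"RED"}).export(X, "PE1", 10),
           Vrf("ORANGE", "100:2", {"ORANGE"}, {"ORANGE"}).export(X, "PE1", 12)]

# PE2 holds a RED VRF, an ORANGE VRF and an extranet VRF that imports both colours.
PE2_VRFS = [Vrf("RED", "100:1", {"RED"}, {"RED"}),
            Vrf("ORANGE", "100:2", {"ORANGE"}, {"ORANGE"}),
            Vrf("EXTRANET", "100:3", set(), {"RED", "ORANGE"})]
COLLISIONS = import_updates(PE2_VRFS, UPDATES)
```

The two updates carry the same IPv4 prefix but distinct NLRI, so RED and ORANGE each receive their own copy; the extranet VRF reports the collision that the "address space must be unique" rule warns about.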
Multi-Protocol BGP
Propagates VPN routing information
Customer routes held in VPN Routing and Forwarding tables (VRFs)
Only runs on Provider Edge
P routers are not aware of VPNs only labels
PEs are fully meshed
Using Route Reflectors or direct peerings between PE routers
MPLS VPN Protocols
OSPF/IS-IS
Used as the IGP; provides reachability between all Label Switch Routers (PE-P-PE)
TDP/LDP
Distributes label information for IP destinations in core
MP-BGP4
Used to distribute VPN routing information between PEs
RIPv2/BGP/OSPF/EIGRP/ISIS/Static
Can be used to route between PE and CE
VPN Components
VRF Tables
Hold customer routes at PE
Route-Distinguisher
Allows MP-BGP to distinguish between identical customer routes that are in different VPNs
Route-Targets
Used to import and export routes between different VRF tables (creates Intranets and Extranets)
Route-maps
Allows finer granularity and control of importing/exporting routes between VRFs instead of just using route-targets
MPLS VPN Operation
[Figure: CEs attached to PEs across a P core with route reflectors (RR); MP-BGP between the PE routers distributes routes between VPNs, carrying RD + VPN labels and RTs, and each PE compares the received RTs with its VRFs]
IGP (OSPF, ISIS) used to establish reachability to destination networks.
Label Distribution Protocol establishes mappings to IGP addresses
CE-PE dynamic routing (or static) populates the VRF routing tables
Customer routes placed into separate VRF tables at each PE
Import routes into VRF if route-targets match (export = import)
MPLS VPN Label Stack
There are at least two labels when using MPLS-VPN
The first label is distributed by TDP/LDP
Derived from an IGP route
Corresponds to a PE address (VPN egress point)
PE addresses are MP-BGP next-hops of VPN routes
The second label is distributed by MP-BGP
Corresponds to the actual VPN route
Identifies the PE outgoing interface or routing table
[Figure: L2 Header | Label 1 | Label 2 | L3 Header | Data]
Frame, e.g. HDLC, PPP, Ethernet
MPLS VPN Forwarding Example
[Figure: CE - PE - P - P - PE - CE packet walk with the label operation at each hop:]
Push VPN Label (Red Route)
Push IGP Label (Green PE Router)
Swap IGP Label (From LFIB)
Pop IGP Label (Penultimate Hop)
Pop VPN Label (Red Route)
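The packet walk above, as an added example that is not from the slides: the ingress PE pushes the VPN label and then the IGP label, the P routers act on the top label only, the penultimate hop pops the IGP label, and the egress PE uses the remaining VPN label to pick the VRF. The topology and tables are constructed; the IGP label values follow the earlier LFIB slide (PE1 pushes 50 towards P1, P1 swaps to 34, P2 pops), while the VPN labels 10 and 12 and the prefix are assumed.

```python
"""Added example (not from the slides): a packet walk through the two-label MPLS VPN
stack. Ingress PE pushes the VPN label then the IGP label, P routers swap the IGP
label, the penultimate hop pops it, the egress PE pops the VPN label and hands the
packet to the right VRF. Topology, labels and tables are constructed."""

# Per-router LFIB: incoming label -> (action, outgoing label or None, next hop).
# The ingress PE uses its IGP FIB (egress PE -> label to push, next hop) instead.
PE1_IGP_FIB = {"PE2": (50, "P1")}            # IGP/LDP label for the egress PE's address
LFIB = {
    "P1": {50: ("swap", 34, "P2")},          # core: swap the top label only
    "P2": {34: ("pop", None, "PE2")},        # penultimate hop: pop the IGP label
}
PE2_VPN_LFIB = {10: "VRF-RED", 12: "VRF-ORANGE"}   # VPN label -> VRF (or interface)
PE1_VRF_RED = {"10.1.1.0/24": ("PE2", 10)}         # from MP-BGP: next-hop PE, VPN label


def ingress(pe_vrf, igp_fib, prefix):
    """Ingress PE: look up the VRF, push VPN label (bottom) then IGP label (top)."""
    egress_pe, vpn_label = pe_vrf[prefix]
    igp_label, next_hop = igp_fib[egress_pe]
    return [igp_label, vpn_label], next_hop      # stack listed top first


def core_hop(router, stack):
    """P router: act on the top label only; it never looks at the VPN label."""
    action, out_label, next_hop = LFIB[router][stack[0]]
    if action == "swap":
        return [out_label] + stack[1:], next_hop
    return stack[1:], next_hop                   # pop (penultimate hop popping)


def egress(vpn_lfib, stack):
    """Egress PE: the remaining label is the VPN label; it selects the VRF."""
    if len(stack) != 1:
        raise ValueError(f"expected only the VPN label, got {stack}")
    return vpn_lfib[stack[0]]


def forward(prefix):
    """Walk PE1 -> P1 -> P2 -> PE2; return (trace of label stacks, VRF at egress)."""
    stack, hop = ingress(PE1_VRF_RED, PE1_IGP_FIB, prefix)
    trace = [("PE1", list(stack))]
    while hop in LFIB:                            # P routers until a PE is next
        stack, nxt = core_hop(hop, stack)
        trace.append((hop, list(stack)))
        hop = nxt
    return trace, egress(PE2_VPN_LFIB, stack)
```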
Basic Intranet Full Mesh
[Figure: Finance Site 1, Finance Site 2 and Finance Site 3 attached to VRFs around the MPLS Core, one of them over VLAN 205; Finance routes (F) are present at every site]
Each site has routes to all other sites (same VPN)
CE can be router or switch
MP-BGP VPNv4 updates propagated between PEs
Routing is optimal in the backbone
No site is used as central point for connectivity
Basic Extranet Partial Mesh
[Figure: Design Site A (DA), Design Site B (DB), Engineering Site A (EA) and Engineering Site B (EB) attached to VRFs around the MPLS Core; Design routes (D) and Engineering routes (E) are selectively imported between the VRFs]
Routes can be imported directly into the corresponding VRF
NAT may be necessary if Enterprises have overlapping addressing
Import granularity can be very fine: a single host address can be imported as an Extranet route
Branch to HQ Hub and Spoke
[Figure: Bank Branch 1, Bank Branch 2 and Bank Branch 3 (spokes S1, S2, S3) and the Central HQ (hub) attached to VRFs around the MPLS Core; route-targets labelled Hub IN and Spoke OUT; an optional firewall with NAT to X at the HQ; BGP/OSPF/RIP routing on the PE-CE links]
Forces all branches through the Central HQ
Spokes cannot communicate directly
Appropriate security screening can be applied
Firewalls can be used with NAT to ensure correct return path
Per Group Internet Access
[Figure: Marketing (M), Sales (S) and Legal (L) VRFs around the MPLS Core with three Internet gateways, Gateway 1, Gateway 2 and Gateway 3, labelled "Internet Legal Only", "Legal/Sales & Marketing Backup" and "Sales and Marketing"]
Choose appropriate Internet Gateway per group requirements
Use other gateways as backup in case of failure
Gateways can provide different service attributes/levels
Speed of access
Type of Content accessed
Address translation if required
VPN with Internet
This example uses only a default route to access the Internet
If customer addresses are RFC1983 then NAT must be done
Can be done at the Internet Gateway or at the customer edge
Another model could use a default route pointing to a gateway in the global table
This assumes that the customer uses registered address space
Enterprise Disaster Recovery
[Figure: Site 1, Site 2 and Site 3 attached to VRFs around the MPLS Core; the Primary Data Centre advertises the centre routes (C) with LOCALPREF=100 and the Backup Data Centre advertises them with LOCALPREF=50]
Disaster recovery can be provided to each site in the Enterprise
If Primary site fails, Backup site takes over with no intervention
Virtualisation/Mirroring takes place between Primary/Secondary
Carrier Supporting Carrier
[Figure: POP 1, POP 2 and POP 3 of the customer carrier (AS100, routers P1-P3 in each POP) attached to a VRF on the MPLS Core; IGP routes are imported/exported through the VRF and iBGP sessions run between the POPs]
ISP Backup
[Figure: a Tier 3 ISP VRF on the MPLS Core connected to two upstreams, AS 12701 and AS 17897, through an Internet Gateway and a Backup Gateway identified by loopbacks L1 and L2; BGP routes from the Internet Gateway are carried in the VRF, with the Primary Internet Path marked]